1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN">
8 CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
19 NAME="WINBINDD">winbindd</H1
27 >winbindd -- Name Service Switch daemon for resolving names
30 CLASS="REFSYNOPSISDIV"
38 > [-F] [-S] [-i] [-B] [-d <debug level>] [-s <smb config file>] [-n]</P
48 >This program is part of the <A
57 > is a daemon that provides
58 a service for the Name Service Switch capability that is present
59 in most modern C libraries. The Name Service Switch allows user
60 and system information to be obtained from different database
61 services such as NIS or DNS. The exact behaviour can be configured
64 >/etc/nsswitch.conf</TT
66 Users and groups are allocated as they are resolved to a range
67 of user and group ids specified by the administrator of the
70 >The service provided by <B
73 > is called `winbind' and
74 can be used to resolve user and group information from a
75 Windows NT server. The service can also provide authentication
76 services via an associated PAM module. </P
81 > module in the 2.2.2 release only
93 module-types. The latter simply
94 performs a getpwnam() to verify that the system can obtain a uid for the
98 > library has been correctly
99 installed, this should always succeed.
102 >The following nsswitch databases are implemented by
103 the winbindd service: </P
113 >User information traditionally stored in
121 > functions. Names are
122 resolved through the WINS server or by broadcast.
129 >User information traditionally stored in
143 >Group information traditionally stored in
156 >For example, the following simple configuration in the
159 >/etc/nsswitch.conf</TT
160 > file can be used to initially
161 resolve user and group information from <TT
169 Windows NT server. </P
178 CLASS="PROGRAMLISTING"
179 >passwd: files winbind
187 >The following simple configuration in the
190 >/etc/nsswitch.conf</TT
191 > file can be used to initially
192 resolve hostnames from <TT
214 >If specified, this parameter causes
218 > process to not daemonize,
219 i.e. double-fork and disassociate from the terminal.
220 Child processes are still created as normal to service
221 each connection request, but the main process does not
222 exit. This operation mode is suitable for running
226 > under process supervisors such
234 from Daniel J. Bernstein's <B
238 package, or the AIX process monitor.
245 >If specified, this parameter causes
249 > to log to standard output rather
256 >Sets the debuglevel to an integer between
257 0 and 100. 0 is for no debugging and 100 is for reams and
258 reams. To submit a bug report to the Samba Team, use debug
259 level 100 (see BUGS.txt). </P
269 become a daemon and detach from the current terminal. This
270 option is used by developers when interactive debugging
278 > also logs to standard output,
282 > parameter had been given.
289 >Disable caching. This means winbindd will
290 always have to wait for a response from the domain controller
291 before it can respond to a client, which makes things
292 slower. The results will however be more accurate, since
293 results from the cache might not be up-to-date. This
294 might also temporarily hang winbindd if the DC doesn't respond.
301 >Dual daemon mode. This means winbindd will run
302 as 2 threads. The first will answer all requests from the cache,
303 thus making responses to clients faster. The other will
304 update the cache for the query that the first has just responded to.
305 The advantage of this is that responses are both accurate and fast.
309 >-s|--conf=smb.conf</DT
312 >Specifies the location of the all-important
327 >NAME AND ID RESOLUTION</H2
329 >Users and groups on a Windows NT server are assigned
330 a relative id (rid) which is unique for the domain when the
331 user or group is created. To convert the Windows NT user or group
332 into a unix user or group, a mapping between rids and unix user
333 and group ids is required. This is one of the jobs that <B
338 >As users and groups are resolved from a server by winbindd, user
339 and group ids are allocated from a specified range. This
340 is done on a first come, first served basis, although all existing
341 users and groups will be mapped as soon as a client performs a user
342 or group enumeration command. The allocated unix ids are stored
343 in a database file under the Samba lock directory and will be
346 >WARNING: The rid to unix id database is the only location
347 where the user and group mappings are stored by winbindd. If this
348 file is deleted or corrupted, there is no way for winbindd to
349 determine which user and group ids correspond to Windows NT user
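The allocation described above, as an added model that is not Samba's code: a simplified reader for the `winbind uid`/`winbind gid` range in smb.conf (the sample fragment is constructed) and an in-memory stand-in for the idmap store, showing why two hosts that resolve the same users in a different order end up with different unix ids.

```python
"""Model of winbindd's first come, first served rid -> unix id allocation.
Added illustration, not Samba code: the real mapping lives in $LOCKDIR/winbindd_idmap.tdb."""

# Constructed smb.conf fragment using the parameters shown in this man page.
SAMPLE_SMB_CONF = """[global]
   winbind uid = 10000-20000
   winbind gid = 10000-20000
"""

def parse_global(conf: str) -> dict:
    """Read 'key = value' lines of the [global] section (simplified smb.conf reader)."""
    params, section = {}, None
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if line.startswith('['):
            section = line.strip('[]').lower()
        elif section == 'global' and '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            params[key.lower()] = value
    return params

def parse_range(spec: str) -> tuple:
    """Turn 'low-high' (as in 'winbind uid = 10000-20000') into (low, high)."""
    low, high = (int(s) for s in spec.split('-', 1))
    if low > high:
        raise ValueError(f'bad id range: {spec!r}')
    return low, high

class IdMap:
    """In-memory stand-in for the idmap database: ids are handed out in arrival order."""
    def __init__(self, low: int, high: int):
        self.high, self.next_id, self.by_rid = high, low, {}

    def lookup(self, domain: str, rid: int) -> int:
        key = (domain.upper(), rid)
        if key not in self.by_rid:          # unseen rid: allocate the next free id
            if self.next_id > self.high:
                raise RuntimeError('winbind uid range exhausted')
            self.by_rid[key] = self.next_id
            self.next_id += 1
        return self.by_rid[key]

def two_hosts_same_users() -> tuple:
    # Two machines resolving the same (constructed) rids in a different order.
    low, high = parse_range(parse_global(SAMPLE_SMB_CONF)['winbind uid'])
    host_a, host_b = IdMap(low, high), IdMap(low, high)
    for rid in (1001, 1002): host_a.lookup('DOMAIN', rid)
    for rid in (1002, 1001): host_b.lookup('DOMAIN', rid)
    return host_a.lookup('DOMAIN', 1001), host_b.lookup('DOMAIN', 1001)   # (10000, 10001)
```

The same rid gets a different unix id on each host, which is why the page warns that ids are only valid locally and that losing the mapping file loses the mappings.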
360 >Configuration of the <B
364 is done through configuration parameters in the <TT
368 > file. All parameters should be specified in the
369 [global] section of smb.conf. </P
376 HREF="smb.conf.5.html#WINBINDSEPARATOR"
381 >winbind separator</I
389 HREF="smb.conf.5.html#WINBINDUID"
402 HREF="smb.conf.5.html#WINBINDGID"
415 HREF="smb.conf.5.html#WINBINDCACHETIME"
420 >winbind cache time</I
428 HREF="smb.conf.5.html#WINBINDENUMUSERS"
433 >winbind enum users</I
441 HREF="smb.conf.5.html#WINBINDENUMGROUPS"
446 >winbind enum groups</I
454 HREF="smb.conf.5.html#TEMPLATEHOMEDIR"
467 HREF="smb.conf.5.html#TEMPLATESHELL"
480 HREF="smb.conf.5.html#WINBINDUSEDEFAULTDOMAIN"
485 >winbind use default domain</I
500 >To set up winbindd for user and group lookups plus
501 authentication from a domain controller use something like the
502 following setup. This was tested on a RedHat 6.2 Linux box. </P
506 >/etc/nsswitch.conf</TT
517 CLASS="PROGRAMLISTING"
518 >passwd: files winbind
535 > lines with something like this: </P
544 CLASS="PROGRAMLISTING"
545 >auth required /lib/security/pam_securetty.so
546 auth required /lib/security/pam_nologin.so
547 auth sufficient /lib/security/pam_winbind.so
548 auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
555 >Note in particular the use of the <TT
568 >Now replace the account lines with this: </P
572 >account required /lib/security/pam_winbind.so
576 >The next step is to join the domain. To do that, use the
580 > program like this: </P
584 >smbpasswd -j DOMAIN -r PDC -U
588 >The username after the <TT
594 Domain user that has administrator privileges on the machine.
595 Substitute your domain name for "DOMAIN" and the name of your PDC
600 >libnss_winbind.so</TT
612 >. A symbolic link needs to be
615 >/lib/libnss_winbind.so</TT
619 >/lib/libnss_winbind.so.2</TT
620 >. If you are using an
621 older version of glibc then the target of the link should be
624 >/lib/libnss_winbind.so.1</TT
627 >Finally, set up a <TT
630 > containing directives like the
640 CLASS="PROGRAMLISTING"
642 winbind separator = +
643 winbind cache time = 10
644 template shell = /bin/bash
645 template homedir = /home/%D/%U
646 winbind uid = 10000-20000
647 winbind gid = 10000-20000
657 >Now start winbindd and you should find that your user and
658 group database is expanded to include your NT users and groups,
659 and that you can log in to your unix box as a domain user, using
660 the DOMAIN+user syntax for the username. You may wish to use the
668 > to confirm the correct operation of winbindd.</P
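A check for the nsswitch.conf and PAM steps of this setup, added here as an illustration rather than anything from Samba; the input texts are constructed to mirror the page's fragments, and the `sufficient` and `use_first_pass` checks follow the example auth stack shown above.

```python
"""Sanity checks for the nsswitch.conf and PAM steps of the setup above.
Added illustration, not Samba code; the inputs are constructed samples mirroring the page."""

NSSWITCH = """passwd: files winbind
group:  files winbind
"""

PAM_LOGIN = """auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_winbind.so
auth required /lib/security/pam_pwdb.so use_first_pass shadow nullok
account required /lib/security/pam_winbind.so
"""

def nss_sources(text: str, db: str) -> list:
    """Source list configured for one nsswitch database, e.g. ['files', 'winbind']."""
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if line.startswith(db + ':'):
            return line.split(':', 1)[1].split()
    return []

def pam_stack(text: str, mod_type: str) -> list:
    """(control, module, options) for each line of one module type, in stack order."""
    stack = []
    for line in text.splitlines():
        parts = line.split('#', 1)[0].split()
        if len(parts) >= 3 and parts[0] == mod_type:
            stack.append((parts[1], parts[2].rsplit('/', 1)[-1], parts[3:]))
    return stack

def check_setup(nss: str, pam: str) -> list:
    """Return the problems found; an empty list means the files match the page's example."""
    problems = []
    for db in ('passwd', 'group'):
        if 'winbind' not in nss_sources(nss, db):
            problems.append(f'nsswitch: {db} does not consult winbind')
    auth = pam_stack(pam, 'auth')
    mods = [m for _, m, _ in auth]
    i = mods.index('pam_winbind.so') if 'pam_winbind.so' in mods else -1
    if i < 0:
        problems.append('pam: no pam_winbind.so in the auth stack')
    elif auth[i][0] != 'sufficient':
        problems.append('pam: pam_winbind.so auth entry is not "sufficient"')
    # the local module after pam_winbind must reuse the typed password (page's use_first_pass)
    if i >= 0 and auth[i + 1:] and not any('use_first_pass' in o for _, _, o in auth[i + 1:]):
        problems.append('pam: module after pam_winbind.so lacks use_first_pass')
    if ('required', 'pam_winbind.so') not in [(c, m) for c, m, _ in pam_stack(pam, 'account')]:
        problems.append('pam: account stack does not require pam_winbind.so')
    return problems
```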
678 >The following notes are useful when configuring and
687 > must be running on the local machine
695 queries the list of trusted domains for the Windows NT server
696 on startup and when a SIGHUP is received. Thus, for a running <B
699 > to become aware of new trust relationships between
700 servers, it must be sent a SIGHUP signal. </P
702 >Client processes resolving names through the <B
706 nsswitch module read an environment variable named <TT
708 > $WINBINDD_DOMAIN</TT
709 >. If this variable contains a comma separated
710 list of Windows NT domain names, then winbindd will only resolve users
711 and groups within those Windows NT domains. </P
713 >PAM is really easy to misconfigure. Make sure you know what
714 you are doing when modifying PAM configuration files. It is possible
715 to set up PAM such that you can no longer log into your system. </P
717 >If more than one UNIX machine is running <B
721 then in general the user and group ids allocated by winbindd will not
722 be the same. The user and group ids will only be valid for the local
725 >If the Windows NT RID to UNIX user and group id mapping
726 file is damaged or destroyed then the mappings will be lost. </P
736 >The following signals can be used to manipulate the
754 file and apply any parameter changes to the running
755 version of winbindd. This signal also clears any cached
756 user and group information. The list of other domains trusted
757 by winbindd is also reloaded. </P
763 >The SIGUSR1 signal will cause <B
766 > to write status information to the winbind
767 log file including information about the number of user and
768 group ids allocated by <B
773 >Log files are stored in the filename specified by the
774 log file parameter.</P
794 >/etc/nsswitch.conf(5)</TT
798 >Name service switch configuration file.</P
801 >/tmp/.winbindd/pipe</DT
804 >The UNIX pipe over which clients communicate with
808 > program. For security reasons, the
809 winbind client will only attempt to connect to the winbindd daemon
816 >/tmp/.winbindd/pipe</TT
821 >/lib/libnss_winbind.so.X</DT
824 >Implementation of name service switch library.
828 >$LOCKDIR/winbindd_idmap.tdb</DT
831 >Storage for the Windows NT rid to UNIX user/group
832 id mapping. The lock directory is specified when Samba is initially
833 compiled using the <TT
839 This directory is by default <TT
841 >/usr/local/samba/var/locks
846 >$LOCKDIR/winbindd_cache.tdb</DT
849 >Storage for cached user and group information.
863 >This man page is correct for version 3.0 of
876 >nsswitch.conf(5)</TT
889 HREF="smb.conf.5.html"
902 >The original Samba software and related utilities
903 were created by Andrew Tridgell. Samba is now developed
904 by the Samba Team as an Open Source project similar
905 to the way the Linux kernel is developed.</P
914 were written by Tim Potter.</P
916 >The conversion to DocBook for Samba 2.2 was done